CVE-2026-33407: CWE-918: Server-Side Request Forgery (SSRF) in ellite Wallos
CVE-2026-33407 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in ellite's Wallos, an open-source personal subscription tracker. Versions prior to 4.7.0 improperly accept and use HTTP_PROXY and HTTPS_PROXY environment variables without validation, allowing attackers to hijack proxy settings. The vulnerability arises because the server performs DNS resolution on user-supplied search terms, enabling attackers to trigger outbound requests to arbitrary domains via manipulated proxy settings. Exploitation requires no authentication or user interaction and can lead to significant confidentiality and integrity impacts by allowing attackers to access internal resources or exfiltrate data. The issue has been patched in version 4.7.0, and no known exploits are currently reported in the wild. Organizations using affected versions should upgrade immediately and review proxy environment variable handling to mitigate risks.
AI Analysis
Technical Summary
CVE-2026-33407 is a Server-Side Request Forgery (SSRF) vulnerability identified in ellite's Wallos, a self-hostable personal subscription tracker application. The flaw exists in versions prior to 4.7.0, where the application’s endpoint at endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables from user input without proper validation or sanitization. This improper handling allows attackers to manipulate proxy settings used by the server when performing DNS resolution on user-supplied search terms. Since the server resolves these search terms, an attacker can craft inputs that cause the server to send outbound requests to arbitrary domains through attacker-controlled proxies. This proxy hijacking can be leveraged to bypass network restrictions, access internal services, or exfiltrate sensitive information. The vulnerability is classified under CWE-918 (SSRF) and CWE-922 (Incomplete Control of Resource Identifiers). The CVSS v4.0 score is 8.3 (high severity), reflecting the vulnerability’s network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and availability. The vulnerability has been patched in Wallos version 4.7.0, and no public exploits have been reported yet. However, the nature of SSRF and proxy manipulation poses a significant risk if exploited.
Potential Impact
The SSRF vulnerability in Wallos can have severe consequences for organizations deploying affected versions. Attackers can exploit this flaw to make the server initiate unauthorized requests to internal or external systems, potentially bypassing firewalls or network segmentation. This can lead to unauthorized access to sensitive internal services, data leakage, or disruption of service availability. Since Wallos is a personal subscription tracker, it may be deployed in small to medium organizations or by individuals, but if integrated into larger environments or exposed to the internet, the risk escalates. The ability to hijack proxy settings increases the attack surface, enabling attackers to route malicious traffic through the victim server, complicating detection and attribution. The lack of authentication or user interaction requirements further increases the threat, allowing remote attackers to exploit the vulnerability at scale. Organizations could face data breaches, service outages, or lateral movement within their networks if this vulnerability is exploited.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Wallos to version 4.7.0 or later, where the issue has been patched. Until upgrading is possible, administrators should disable or restrict the use of HTTP_PROXY and HTTPS_PROXY environment variables within the application environment to prevent proxy hijacking. Implement strict input validation and sanitization on all user-supplied data, especially those influencing network requests or environment variables. Network-level controls such as egress filtering and firewall rules should be enforced to restrict outbound traffic from the Wallos server to only trusted destinations. Monitoring and logging outbound requests from the application can help detect anomalous behavior indicative of SSRF exploitation attempts. Additionally, consider deploying web application firewalls (WAFs) with SSRF detection capabilities. Regular security assessments and code reviews focusing on environment variable handling and external request logic are recommended to prevent similar issues.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-19T17:02:34.171Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c32654f4197a8e3b9def6e
Added to database: 3/25/2026, 12:03:32 AM
Last enriched: 3/25/2026, 12:03:58 AM
Last updated: 3/25/2026, 1:05:25 AM